PROJECT: How to create the most secure laptop yet maintain usability (long)

THELAIR

Golden Member
Oct 9, 1999
Here is what I have been tasked to seek out and report back on.

I have been asked to draw up and design a laptop setup that can be used by a large Fortune 500 company for their top-level executives and board members. These people will have classified proprietary data valued in excess of one million dollars.

The users of these computers are VAGUELY competent at the Windows operating system, understanding the basics of MS Office apps and email/web surfing. All that they require is the ability to draft and receive MS Office documents, web surfing, email and the ability to connect to the corporate intranet.

The owners of the laptops will be using them in their offices, board rooms, home and on travel.

What the CIO wants to see is what configuration options and setup can be drawn up that would provide for an extremely secure working environment.

One addition that I have no control over is a remote transmitter installed in the laptop, using a GPS satellite transmitter/receiver embedded in the laptop with a thin, somewhat hidden antenna on the exterior. This is a custom install and will be done at the end.

I was thinking of doing the following, but keep this in mind:
The majority of the effort is to try and reduce the risk of physical theft of the laptop, or physical access to the laptop where key loggers and other applications can be installed.

IBM laptop, which supposedly has the most secure BIOS. Ideally, if there were some hack that could be set up so that the BIOS password, if forgotten, would make the laptop completely useless, that would be preferred. But I heard IBM laptops are quite good at their BIOS passwords.

Removal of the CD-ROM and A: drive (once the system is fully set up, of course. Backup done by in-house tech support weekly/monthly, where they connect an external FireWire CD-R drive and place the backed-up CDs in a vault).

So boot-up and setup BIOS password protection.

OS: Windows 2000 Pro.
Yes, I'm very certain that one of the BSDs would be a much better suggestion as an OS; however, FUNCTIONALITY has to be maintained, and to be honest there was a huge re-education initiative set up just to show these people how to work Win2k from their Win95 desktops. Throwing a Unix OS and StarOffice at them IS NOT AN OPTION. I know from a technical standpoint that there are better solutions than Win2k; however, any significant user intervention and training of these types of people is frowned upon. They don't want to be bothered with what's under the hood; they want the familiar steering wheel and pedals where they have always been before, so to speak, yet providing ultimate protection as stated above.
Disable the admin account so no further files can be installed.

Apply the various security options available and create a very strict security policy in Win2k. Install the Network Associates PGP corporate office program suite to encrypt email and files with PGP. Of course everything will be on an NTFS partition. A second partition using PGP's software to create a secure encrypted partition to store data files on.

Connecting to anything will be via a VPN using IPsec or any other high-quality secure direct connection, either via 56K dial-up (when they are away) or a 10/100 LAN card when in the office.

ZoneAlarm firewall program, with only the ports for web, email, VPN and one or two teleconference packages enabled. Everything else denied.

The users will not be connected to the net 24/7. Only when checking email or transferring files with others.

Various warning stickers and asset-tracking stickers to dissuade any thief from stealing the laptop.

A glare hood that covers the top and sides of the laptop making it difficult for a camera to record the screen or keypresses when in a hotel outside of the office.

Some sort of logic-bomb-type device that would be triggered if any physical access is made to extract the hard drive, destroying it in whatever manner possible... I'm hoping there is an explosive option out there :)

Again, the stress on the security of the laptop is not hackers or sniffers on the network. Everything that they do will be encrypted; the real big fear is physical loss of the laptop, hence the GPS receiver in the laptop, the idea being that if their laptop is stolen they can quickly trace it down almost anywhere in the world. Another fear is the disclosure of their secret keys, either being stolen off of their laptop when they are logged in or by some sort of key logger.

The budget for EACH laptop cannot exceed $25,000 :)

Anyone got any other ideas?

What about going for a full TEMPEST-proof secure system?

Removal of the serial, parallel and USB ports was suggested as well, and some sort of locking mechanism to be inserted into the PCMCIA slot when not in use.
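The post describes a default-deny egress policy ("only the ports for web, email, VPN and one or two teleconference packages enabled, everything else denied") without showing what such a policy looks like when applied, or how a tech-support team would notice a key logger or other unwanted software trying to phone home. The script below is an added example written for this thread, not ZoneAlarm's configuration and not code from the original poster: it encodes that allowlist as (protocol, destination port) pairs, runs a few constructed connection-log lines through it, and tallies the denied attempts per port. The log format, the IP addresses, the DNS entry (assumed, because browsing and mail cannot resolve names without it) and the teleconference port 1503 are all assumptions.

```python
"""Default-deny egress allowlist check over constructed connection logs (added example)."""
import re
from collections import Counter

# Allowlist in the spirit of the post: web, email, the IPsec VPN's IKE
# exchange and one teleconference package. DNS is added because web and
# email cannot work without name resolution; 1503 is an assumed placeholder.
ALLOWED_SERVICES = {
    ("tcp", 80): "http",
    ("tcp", 443): "https",
    ("tcp", 25): "smtp",
    ("tcp", 110): "pop3",
    ("udp", 53): "dns (assumed: needed so web and email can resolve names)",
    ("udp", 500): "ike (IPsec VPN key exchange)",
    ("tcp", 1503): "teleconference (assumed placeholder port)",
}

# Constructed log format, not any firewall's native one:
#   "<date> <time> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Turn one log line into a dict; anything malformed is rejected loudly."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def decide(proto, dport):
    """Default deny: only (protocol, destination port) pairs on the allowlist pass."""
    service = ALLOWED_SERVICES.get((proto, dport))
    if service is None:
        return ("DENY", "not on allowlist (default deny)")
    return ("ALLOW", service)


def evaluate(lines):
    """Apply the policy to each line; returns (ts, proto, dst, dport, verdict, reason)."""
    results = []
    for line in lines:
        ev = parse_line(line)
        verdict, reason = decide(ev["proto"], ev["dport"])
        results.append((ev["ts"], ev["proto"], ev["dst"], ev["dport"], verdict, reason))
    return results


def denied_summary(results):
    """Count denied attempts per (proto, port). Repeated hits on one odd port
    from a machine that should only do web/email/VPN is what a support
    technician would look at when hunting for software that phones home."""
    return Counter(
        (proto, dport) for _, proto, _, dport, verdict, _ in results if verdict == "DENY"
    )


# Constructed sample traffic from one laptop (10.1.2.3); the two attempts to
# port 6667 are deliberate noise representing an unexpected outbound connection.
SAMPLE_LOG = [
    "2000-03-14 09:12:01 tcp 10.1.2.3:3121 -> 192.0.2.10:443",
    "2000-03-14 09:12:05 tcp 10.1.2.3:3122 -> 192.0.2.20:25",
    "2000-03-14 09:13:40 udp 10.1.2.3:500 -> 198.51.100.5:500",
    "2000-03-14 09:15:02 tcp 10.1.2.3:3130 -> 203.0.113.7:6667",
    "2000-03-14 09:15:03 tcp 10.1.2.3:3131 -> 203.0.113.7:6667",
    "2000-03-14 09:16:11 udp 10.1.2.3:3132 -> 203.0.113.9:53",
]

if __name__ == "__main__":
    rows = evaluate(SAMPLE_LOG)
    for row in rows:
        print(*row)
    print("denied per (proto, port):", dict(denied_summary(rows)))
```

The allowlist is keyed on destination port only because that is the granularity the post's ZoneAlarm plan works at; a real deployment would also pin the VPN entry to the corporate gateway's address, since IKE to an arbitrary host is not something these users should ever need.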